I know how hard it is for recent college graduates to snag that first big interview, so a big congratulations to you. That’s the first step to entering the cyber security profession.  I also know how intimidating it can be trying to prepare for it.  I figured I’d share some of the experiences I’ve had as both the interviewee and interviewer so that you can get a better idea of what to expect when the moment comes.

I’m sure you’ve learned the interviewing basics by now, and I won’t bore all of you with those details.  Just in case, you can find a good article here on basic interview preparation.  As with any interview, you can expect to be asked the standard, non-infosec questions as well so be sure to prep yourself for those too.  I’ll spend most of the time focusing on the information security aspects of the interviews.

Résumé

When I’m looking over a resume, there are a couple of things that I like to see.  The first thing I’ll look for (besides education) is some kind of technology summary describing what tools/programs you’ve had experience with.  It gives me an overview of your experience and an idea of the variety of that experience.  It’s important for potential employers to plainly see your skill set, and that’s the first step.  This summary can include software/programs, concepts, programming/scripting languages, etc.  Mine looks like this:

Technology Summary
Concepts and Principles: Web Application Penetration Testing, Vulnerability Assessment, PCI DSS Compliance, Object Oriented Design, Test-Driven Design, Agile Software Development
Languages: Primary knowledge and proficiency in Java; some experience with C++, Python, SQL, JavaScript, Scheme, HTML
Software Application: Rational Appscan, OWASP-ZAP, Fiddler Intercepting Proxy, Fortify, Burp Suite Pro, Wireshark, Aircrack-ng, Wifite, Ettercap, Tessercap, Splunk
Platforms: Windows, Linux, iOS

Think about how long it took you to read that section and how much information you got out of it.  It’s a convenient section that allows the reader to understand you and your experience at a high level without having to read through paragraphs looking for the details.

Another helpful section is a list of any projects you’ve completed outside of your professional/educational career.  It shows the reader that you have a strong interest in cyber security and that you continue to learn outside of the workplace.  It really impresses the reader (including myself) when a candidate has taken what they’ve learned and continued educating themselves in their spare time.  I’d avoid writing a paragraph, and instead give a list of details, making sure to emphasize the topics you learned, for example:

Database Management Project:
  • Developed a fully functioning SQL database for a faux company.
  • Designed the ERD diagram, normalized data structures and accompanying queries.

The Interview

Now for the fun part. The actual interview will vary depending on the company, and it will most likely be in two steps: a phone interview followed by an in-person interview.  I’ve had a three step interview which had a technical assessment in between (super fun, loved it).

My biggest recommendation is to read up on the topics related to your field.  You’ll get a lot of technical questions, especially in the in-person interview.  Many interviewers like to use an “onion” approach when asking questions.  They’ll peel back layer by layer until the interviewee can’t answer the question, for example:

Q: Can you define Cross-Site Scripting?

A: Cross-Site Scripting enables attackers to inject client-side script into web pages viewed by other users.

Q: How would someone exploit a Cross-Site Scripting vulnerability?

A: An attacker can use the vulnerability to steal session cookies if the secure flag is not set.

Q: How would you remediate it?

A: Honestly, I’m not sure.

And at that point they would stop and move to a different topic. It’s okay to not know everything.  They may even pull in topics outside of your area of expertise, but you can be honest and let them know you’re not sure.  I’ve compiled a list of common questions that I’ve asked/been asked before.  Some are technical, and some are more general knowledge on the profession.

What’s the difference between encryption and hashing?

  • Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.

What is salting and why is it used?

  • They will probably leave this question out of context. Salting is used when hashing values.  You append a unique value to each element that is being hashed, that way (if we’re using passwords as an example) no two matching elements will result in the same hash (e.g. if two users have the password “Password123”, they will have different hash values).

What port does ping work over?

  • Trick question. Ping uses ICMP which is a layer 3 protocol and doesn’t use a port.

In cryptography, what is the main method of building a shared secret over a public medium and what is it vulnerable to?

  • Diffie-Hellman and a man-in-the-middle attack.

What is a cross site request forgery and how do you defend against it?

  • The victim is tricked by the attacker into issuing a request through the victim’s browser (such as adding a user to an application). This relies on the victim being logged in and having the proper privileges to issue the request.
  • Defense: using a cross site request forgery token or nonce.
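As an added example (my own sketch, not from the original post) of the token defense for the “add a user” scenario above: the server stores a random token in the session, embeds it in its own form, and refuses any POST whose token does not match. A page on another site can trigger the victim’s browser to send the request but cannot read the token to include it. The `Session` class and handler names are made up for the illustration.

```python
import hmac
import secrets


class Session:
    """Minimal server-side session: the logged-in user plus a per-session CSRF token."""

    def __init__(self, user: str):
        self.user = user
        self.csrf_token = secrets.token_urlsafe(32)


def render_add_user_form(session: Session) -> str:
    # The token travels in a hidden field of the site's own form.
    return (
        '<form method="POST" action="/admin/add_user">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="new_user"><button>Add</button></form>'
    )


def handle_add_user(session: Session, form: dict, user_db: set) -> tuple:
    """State-changing handler: validate the token before acting on the request."""
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token is rejected.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "CSRF token missing or invalid"
    user_db.add(form["new_user"])
    return 200, f"added {form['new_user']}"


def demo() -> dict:
    users = set()
    session = Session("admin")  # constructed: victim is logged in with privileges
    # Request issued from the site's own form carries the token.
    legit = {"csrf_token": session.csrf_token, "new_user": "alice"}
    # Cross-site request: the browser sends the session cookie, but the
    # forging page could not read the token, so the field is absent.
    forged = {"new_user": "mallory"}
    legit_status, _ = handle_add_user(session, legit, users)
    forged_status, _ = handle_add_user(session, forged, users)
    return {"legit": legit_status, "forged": forged_status, "users": users}
```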

What is cross site scripting and how do you defend against it?

  • It enables attackers to inject client-side script into web pages viewed by other users.
  • Defense: Input validation or output encoding (entity encoding, so that it’s treated as data, not script).
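Both defenses in one added example (my own code, not from the original post): an allowlist check for a username field, and entity encoding applied when untrusted text is placed into HTML, shown next to the unencoded rendering so the difference is visible. The comment-rendering functions are hypothetical.

```python
import html
import re

# Input validation: allowlist exactly what a username may contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def render_comment_unsafe(author: str, body: str) -> str:
    # Untrusted values dropped straight into markup: browser runs any script.
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment(author: str, body: str) -> str:
    # Output encoding: < > & " ' become entities, so the browser shows them as text.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def demo() -> dict:
    # Constructed sample input containing a script tag.
    author = "guest"
    body = '<script>alert("xss")</script> nice post'
    return {
        "unsafe": render_comment_unsafe(author, body),
        "safe": render_comment(author, body),
        "valid_name": validate_username("jean_fleury"),
        "rejected_name": validate_username("<b>jean</b>"),
    }
```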

Name as many ports as you can.

  • Know your ports. Know your ports. Know your ports.

Name as many HTTP methods as you can.

  • Get, post, head, options, lock, unlock, delete, put, copy, move, etc.

What is DNS and how does it work?

  • Domain name system, which translates domain names to IP addresses. Look up the process of how it actually finds the associated IP address.

Where do you get your security news from?

  • Well you’re reading my blog right? Maybe you even follow me on Twitter.  But definitely look up some of the top information security companies and find a good source that you can name drop.

Who do you look up to in the security field?

  • Know a couple names and who they work for and what they have done. I said RSnake, he works for White Hat Security, and I read a book he co-wrote on Cross Site Scripting.

What’s worse, a false positive or false negative?

  • Always a false negative. That means you’ve missed something and someone else found it and you’ve probably got a breach on your hands.

In the information security field, what does CIA stand for?

  • Confidentiality, Integrity, and Availability

Which is a more effective testing method, black box or white box?

  • There’s not really a right answer here.  They’re most likely checking to see if you know what they mean.  Black box testing means you go into your assessment with no prior information.  Basically, it simulates a real-world attack.  On the other hand, in white box testing you are given all the information you need.  This will lead to more targeted and thorough tests.

Which is more fun, red team or blue team?

  • Again, no right answer.  In short, red team are the attackers and blue team are the defenders.

Well I hope this helped at least a little bit.  The biggest thing is to just keep calm and think your answers through.  Thanks for reading.


About Jean Fleury

Naval officer, privateer, cyber security professional. Traded in my five-ship squadron for a computer and Burp Suite license.

Category

Information Security Profession
